Last week's (May, 6th 2002) Security Adviser article in InfoWorld was near and (not so) dear to my heart and hopefully yours.
cross_site_scripting.archive.html - This page details sites who are open to CSS attacks *including AOL, and Real.com* this page is run by SkyLined a self professed h4x0r
community.whitehatsec.com - Who has just released thier Linux-based WhiteHat Arsenal 1.05 test suite for profiling your site against CSS attacks
grep
Mandy Andress goes over many of the points we have discussed here at the Monastary, and some new points, but also brings it home with some very public examples (eg. eBay, Cybercash, VeriSign).
She also directly mention sites like here (sites for coders) where preventing CSS attacks, becomes a game of balance between your user's freedom and thier security. Hat's off to the developers here for working on that balance.
There are some other interesting links in her article
Hopefully this article shows to all that this problem is not going away. So if you developing a website and take user input to be displayed. You should read this.
grep
| Unix - where you can throw the manual on the keyboard and get a command |
Back to
Meditations